Home Depot To Pay $25M To Settle Banks’ Data Breach Claims

Law360, New York (March 9, 2017, 12:17 PM EST) -- Home Depot has agreed to pay $25 million and strengthen its data security practices to resolve a putative class action brought by financial institutions after a 2014 data breach that compromised 56 million credit and debit card numbers, according to documents filed in Georgia federal court late Wednesday.

According to a memorandum in support of the financial institutions' unopposed motion for preliminary approval of the proposed settlement, the parties "after several years of contentious litigation" have reached an agreement that would require Home Depot to pay $25 million into a non-reversionary fund to be distributed to financial institutions that have not already released their claims against the retailer for losses stemming from the headline-grabbing payment card data breach.

Financial institutions that file a valid claim will be eligible to receive a fixed payment estimated to be $2 per compromised card without having to submit documentation of their losses and regardless of whether any compensation already has been received from another source, according to the agreement. Class members that submit proof of losses also are eligible for a supplemental award of up to 60 percent of their documented, uncompensated losses from the data breach, the plaintiffs noted.

The retailer also has agreed to pay up to $2.225 million to institutions whose claims were released by a sponsor, such as a card processor, in connection with the card brand recovery program provided by MasterCard. Home Depot has paid out about $14.5 million in premiums to MasterCard and Visa issuers in exchange for releases. The plaintiffs, however, have challenged the validity of the releases made in connection with the MasterCard program, arguing that the sponsors lacked authority to enter into them and that communications sent to the sponsored entities were misleading and coercive.

"Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards," said Jim Nussle, president and CEO of the Credit Union National Association, a plaintiff in the case, in a statement announcing the settlement on Thursday. "This settlement would be a step toward making them whole again."

CUNA added that it believed that the pact — which comes on the heels of Home Depot's agreement last March to fork over $13 million, fund identity protection services, and implement new data security measures to settle a putative class of consumers’ claims over the breach — "represents one of the better outcomes in data breach litigation."

Aside from the payment to affected banks, the settlement also requires Home Depot to "implement enhanced security measures to reduce the risk of a future data," and pay the costs of notice to eligible financial institutions and attorneys' fees. While there is no agreement regarding the amount of attorneys' fees, the class will be notified that counsel may request up to $18 million, which amounts to less than 30 percent of the total of the $25 million settlement fund, the $2.25 million for sponsored entities, the $14.5 million in premiums paid as part of the card brand recovery processes and other costs and fees, according to the agreement.

Home Depot has also agreed to finance a service award of up to $2,500 for each of the financial institutions named in the consolidated class action complaint, the agreement noted. The plaintiffs include 50 financial institutions from 44 states as well as 16 state credit union associations and CUNA.

"We're hopeful credit unions will see more victories in data breach suits going forward," Nussle said, adding that in the meantime, "CUNA will continue pursuing a legislative solution that will result in stricter merchant data security standards, making it much harder for merchants to compromise payment card information."

A representative for Home Depot did not respond to a request for comment Thursday.

Dozens of banks and credit unions hit Home Depot with 25 class actions after the retailer confirmed in 2014 that hackers had placed malware on its self-checkout kiosks in stores across the country, allowing them to steal approximately 56 million customers’ personal financial information, including names, payment card numbers, expiration dates, and security codes.

The financial institutions' cases, which were consolidated in December 2014, alleged that the breach was “the inevitable result” of Home Depot data-security practices “characterized by neglect, incompetence and an overarching desire to minimize costs.” They claimed the retailer had ignored red flags, expert opinions, employee warnings and industry standards in its repeated refusal to upgrade security, and that their losses from the resulting fraud were in the billions.

CUNA said in its statement Thursday that its research into the data breach found that the intrusion cost credit unions alone around $60 million.

U.S. District Judge Thomas Thrash Jr. gave the financial institutions a boost in May when he allowed the overwhelming majority of their claims to remain, saying that they had pled actual injuries that gave them standing.

In July, Home Depot asked the district court to certify that ruling for interlocutory appeal to the Eleventh Circuit. The retailer argued that the decision raised at least six novel questions of law that would benefit from immediate resolution, including whether financial institutions have Article III standing to assert claims arising out of a data breach, whether retailers owe banks a duty to protect against third-party criminal hacks, and whether financial institutions can bring a negligence claim premised on an alleged violation of Section 5 of the Federal Trade Commission Act.

That motion was still pending when the parties announced their resolution Wednesday.

The case against Home Depot shared similarities with proposed class actions brought by banks and credit unions in the wake of other major data breaches. For example, Target Corp. agreed in December 2015 to pay $39 million to settle financial institutions' claims after a Minnesota federal court refused to toss most of the litigation and certified a class of all financial institutions that issued cards affected by the hack, and Wendy's is currently facing litigation mounted by CUNA and more than two dozen other financial institutions that allegedly incurred expenses following the theft of payment card data at the fast food restaurant last year.
